What is OAuth? Operation, pros and cons of this standard

Online services sometimes need to interact with each other. If the Bitly URL shortener wants to post to your Twitter timeline, for example, it does not ask you for your Twitter password; instead, a protocol called Open Authorization (OAuth) is used, as data protection specialists point out. OAuth simplifies access to some platforms for users, although there are some considerations to keep in mind, since the data involved is our personal information.

OAuth is an open standard authorization protocol that lets applications obtain “secure designated access”: it allows a service such as Facebook to authorize a company such as ESPN.com to access a user’s profile without the data subject’s access credentials ever being shared. If the third-party site (ESPN in this example) suffers a data security incident, the Facebook user’s password remains secure.

Instead of sharing users’ passwords, OAuth uses authorization tokens to prove an identity between consumers and service providers, allowing one application to interact with another without any password changing hands, as data protection experts note.

According to specialists, OAuth is about authorization, not authentication: rather than sharing the user’s data with other platforms, OAuth issues an authorization token that does not involve the user’s sensitive information. As an everyday analogy, think of OAuth as a valet parking ticket: the ticket authorizes the valet to start the car and deliver it to the customer, but it does not give access to the glove compartment, the trunk or any property inside the car.

Three actors are involved in an OAuth process: the user, the consumer and the service provider. The following example involves all three: the user JOHN, the consumer BITLY and the service provider TWITTER. JOHN wants BITLY to be able to publish shortened links to his TWITTER timeline, which involves the following process:

1. The user states his intention

– JOHN (User): “Hello, BITLY, I’d like you to post links directly on my TWITTER timeline”.

– BITLY (Consumer): “Well, I need to request permission”.

2. The consumer obtains permission

– BITLY: “A user wants me to be able to publish to their timeline. Could you give me a request token?”

– TWITTER (Service Provider): “Sure. Here’s a token and a secret.” The secret is used to prevent application forgery: it lets TWITTER check that later requests carrying this token really come from BITLY and not from an application impersonating it.

3. The user is redirected to the service provider

– BITLY: “OK, JOHN, I will redirect you to TWITTER so you can approve the application. Take this token with you.”

– JOHN: “Good”.

This is where the trouble can begin. If BITLY were a malicious company, it could open a window that looks like a TWITTER login box but is actually a phishing page designed to capture the user’s login credentials. International Institute of Cyber Security (IICS) data protection specialists recommend that users always verify the URL of the site they are redirected to when approving an OAuth request.

4. The user grants permission

– JOHN: “TWITTER, I would like to authorize this request token that BITLY gave me”.

– TWITTER: “Well, just to be sure, do you authorize BITLY to post to your timeline using your TWITTER account?”

– JOHN: “Yes”

– TWITTER: “Well, go back to BITLY and confirm that you have permission to use your request token.”

5. Consumer gets an access token

– BITLY: “TWITTER, can I change this request token to an access token?”

– TWITTER: “Sure. Here’s your access token and the secret.”

6. The consumer accesses protected resources

– BITLY: “I would like to post this link on JOHN’s timeline using my access token.”

– TWITTER: “Very good.”

As can be seen, JOHN never shared his access credentials with BITLY, yet access was granted securely using OAuth. According to data protection specialists, JOHN can log in to TWITTER at any time to review the permissions he has granted to BITLY and other consumers, and revoke them.
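The six steps above, the redirect-URL check recommended at step 3, and the review-and-revoke ability described in the previous paragraph, as one added Python simulation. This is example code written for this article, not Bitly's or Twitter's implementation: the three parties are plain classes in one process, the provider host `twitter.example`, the user password and the link text are constructed placeholders, and request signing uses HMAC-SHA256 over a simple message as a stand-in for OAuth 1.0's HMAC-SHA1 over a normalized base string. What it shows is that the consumer only ever holds tokens and secrets, that a request token is single-use and bound to one consumer, that the secret stops an application that does not hold it from forging requests, and that revoking the access token ends the consumer's access.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed placeholder host for the service provider (TWITTER in the article).
PROVIDER_HOST = "twitter.example"
JOHN_PASSWORD = "correct horse battery staple"  # constructed sample credential


def sign(consumer_secret, token_secret, message):
    """HMAC keyed with consumer secret and token secret, as OAuth 1.0 does
    (simplified: SHA-256 over a plain message instead of the signature base string)."""
    key = f"{consumer_secret}&{token_secret}".encode()
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


class ServiceProvider:
    """Simulated TWITTER: registers consumers, issues tokens, serves the timeline."""

    def __init__(self):
        self.consumers = {}       # consumer key -> consumer secret
        self.request_tokens = {}  # request token -> {secret, consumer, user, verifier}
        self.access_tokens = {}   # access token -> {secret, consumer, user}
        self.users = {"JOHN": JOHN_PASSWORD}
        self.timelines = {"JOHN": []}

    def register_consumer(self):
        key, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.consumers[key] = secret
        return key, secret

    def _verify(self, consumer_key, token_secret, message, signature):
        expected = sign(self.consumers.get(consumer_key, ""), token_secret, message)
        return hmac.compare_digest(expected, signature)

    def request_token(self, consumer_key, signature):  # step 2
        if not self._verify(consumer_key, "", "request_token", signature):
            raise PermissionError("unknown consumer or bad signature")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer": consumer_key,
                                      "user": None, "verifier": None}
        return token, secret

    def authorize_url(self, token):  # step 3: where the consumer sends the user
        return f"https://{PROVIDER_HOST}/oauth/authorize?oauth_token={token}"

    def authorize(self, token, username, password, approve):  # step 4
        if self.users.get(username) != password:  # JOHN logs in at TWITTER, not at BITLY
            raise PermissionError("login failed")
        entry = self.request_tokens[token]
        if not approve:
            del self.request_tokens[token]
            return None
        entry["user"], entry["verifier"] = username, secrets.token_hex(4)
        return entry["verifier"]

    def access_token(self, consumer_key, token, verifier, signature):  # step 5
        entry = self.request_tokens.pop(token, None)  # request tokens are single-use
        if (entry is None or entry["consumer"] != consumer_key
                or entry["user"] is None or entry["verifier"] != verifier):
            raise PermissionError("request token not authorized for this consumer")
        if not self._verify(consumer_key, entry["secret"], f"access_token:{token}", signature):
            raise PermissionError("bad signature")
        access, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[access] = {"secret": secret, "consumer": consumer_key, "user": entry["user"]}
        return access, secret

    def post(self, consumer_key, token, text, signature):  # step 6
        entry = self.access_tokens.get(token)
        if entry is None or entry["consumer"] != consumer_key:
            raise PermissionError("access token invalid or revoked")
        if not self._verify(consumer_key, entry["secret"], f"post:{token}:{text}", signature):
            raise PermissionError("bad signature")
        self.timelines[entry["user"]].append(text)
        return len(self.timelines[entry["user"]])

    def grants(self, username):  # what JOHN sees on his connected-apps page
        return [t for t, e in self.access_tokens.items() if e["user"] == username]

    def revoke(self, username, token):
        if self.access_tokens.get(token, {}).get("user") == username:
            del self.access_tokens[token]


class Consumer:
    """Simulated BITLY: holds consumer and token secrets, never the user's password."""

    def __init__(self, provider):
        self.provider = provider
        self.key, self.secret = provider.register_consumer()

    def start(self):  # steps 2-3
        token, secret = self.provider.request_token(self.key, sign(self.secret, "", "request_token"))
        return token, secret, self.provider.authorize_url(token)

    def finish(self, token, token_secret, verifier):  # step 5
        sig = sign(self.secret, token_secret, f"access_token:{token}")
        return self.provider.access_token(self.key, token, verifier, sig)

    def post(self, access, access_secret, text):  # step 6
        sig = sign(self.secret, access_secret, f"post:{access}:{text}")
        return self.provider.post(self.key, access, text, sig)


def user_trusts_login_page(url):
    """Step 3 caveat: JOHN only types his password if the page really is the provider."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname == PROVIDER_HOST


def run_flow():
    """Walk JOHN, BITLY and TWITTER through all six steps, then revoke the grant."""
    twitter, bitly = ServiceProvider(), None
    bitly = Consumer(twitter)
    token, token_secret, url = bitly.start()                                 # steps 1-3
    if not user_trusts_login_page(url):
        raise RuntimeError("refusing to log in on an unexpected host")
    verifier = twitter.authorize(token, "JOHN", JOHN_PASSWORD, True)         # step 4
    access, access_secret = bitly.finish(token, token_secret, verifier)      # step 5
    count = bitly.post(access, access_secret, "https://bit.ly/example-link")  # step 6
    twitter.revoke("JOHN", access)                                           # JOHN withdraws consent
    try:
        bitly.post(access, access_secret, "second link")
        revoked = False
    except PermissionError:
        revoked = True
    return {"timeline": twitter.timelines["JOHN"], "posts": count, "revoked": revoked}


if __name__ == "__main__":
    print(run_flow())
```

Note the two places the design depends on the secret rather than the token alone: a party that learns BITLY's consumer key but not its secret cannot obtain a request token, and the access token is useless to anyone who does not also hold its secret. The `user_trusts_login_page` check is the user's side of the step 3 caveat: it compares the scheme and exact hostname of the authorization URL against the provider's known host, so a look-alike host on a different domain is rejected.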

The main drawback is that this standard is not foolproof: threat actors can take advantage of an unsuspecting user to gain broad access to their online accounts, or even steal their login credentials, exposing victims to other kinds of attacks.